In short
Windows Server 2016 reaches end of extended support on January 12, 2027. After that date, Microsoft stops shipping security updates and patches. Servers keep running, but every new vulnerability stays open forever unless you pay for Extended Security Updates (ESU), which roughly costs 75% of a new license per year and doubles annually for three years. The right move for most small businesses is to migrate to Windows Server 2025 before the deadline, using the side-by-side method Microsoft officially recommends: stand up a fresh Server 2025 VM, migrate AD DS, file shares, SQL Server, and apps across, then decommission the old box. This guide walks the full procedure step by step. Need a hand? Raff Technologies migrates new customers onto Windows Server 2025 for free; you pay only for the destination VM. The offer is below.
Why this matters now (and why January 2027 is closer than it feels)
There are three reasons not to wait:
1. Migrations take months in practice, not weeks.
A "one server" small-business environment running AD DS, file shares, SQL Server, and a line-of-business app is realistically a 4-8 week project when you factor in: testing the new server, validating app compatibility, scheduling the cutover during a maintenance window (which usually means a weekend, which usually means waiting two or three weeks for one that works), training users on any small workflow changes, and dealing with the inevitable "wait, what about X" discovery items. If you start in October 2026, you finish in December. If you start in December 2026, you miss the deadline. The credible window to start is mid-2026.
2. ESU costs explode.
Extended Security Updates are Microsoft's paid lifeline for organizations that genuinely can't migrate in time. Pricing: roughly 75% of the original license cost per year, doubling each subsequent year, capped at three years. For Server 2016 Standard at ~$1,069 license cost, you're looking at roughly $802 (Year 1), $1,604 (Year 2), $3,208 (Year 3), per server. That's $5,614 over three years for one server, just to keep getting patches. A new Server 2025 Standard license is cheaper than two years of ESU. ESU only makes sense if you have a hard application dependency that can't migrate.
3. Compliance and cyber insurance.
Many frameworks (PCI DSS, HIPAA, SOC 2, ISO 27001) require that production systems run a vendor-supported OS. Cyber insurance policies increasingly include lifecycle clauses that void coverage for breaches involving unsupported software. If you're audited or breached after January 12, 2027 while running unpatched Server 2016, the financial exposure can dwarf the migration cost.
Who this guide is for
You run one or two Windows Servers for a 10 to 100 employee business. Typically that means a single VM doing everything: Active Directory Domain Services, file shares, SQL Server, line-of-business apps, sometimes Remote Desktop Services. The server has been ticking along for 8+ years. It probably runs Server 2016, sometimes Server 2012 R2 (which is even further out of support and treated effectively the same way here, with one extra hop in the upgrade path).
If you have multiple specialized servers (separate DC, separate file server, separate SQL Server, separate RDS host), this guide still applies; you just repeat the relevant procedure per server. If you have forest with multiple domains or multiple sites with replication, you're in enterprise territory and should engage a consultant; the principles are the same but the operational complexity goes beyond what a single guide covers.
This guide does not cover:
- Upgrading the Hyper-V host OS if your Server 2016 is itself a hypervisor running guest VMs. That's a separate procedure.
- Exchange Server migration. Exchange 2016 has its own EOL clock (October 14, 2025, already passed) and a completely different migration path.
- WSUS, ADFS, or Certificate Services specifics. Each has its own migration nuances.
What changed: why side-by-side beats in-place for 2026
Microsoft's official recommendation for Server 2016 → 2025 is a side-by-side migration, also called clean-install-and-migrate. From Microsoft Learn:
The recommended way to upgrade a domain is to use a clean OS install to promote new servers to DCs that run a newer version of Windows Server and demote the older DCs as needed. This method is preferable to upgrading the operating system of an existing DC, which is also known as an in-place upgrade. A clean OS install ensures you get the full Active Directory performance improvements included in new versions of Windows Server.
Three reasons this matters:
1. In-place upgrades carry forward 8+ years of cruft. Registry artifacts, half-uninstalled software, broken WMI providers, leftover services. A 2016 server that's been running since 2018 has accumulated layers of state nobody documented. In-place upgrade carries it all forward into 2025. Side-by-side gives you a clean machine.
2. AD DS in-place upgrades are riskier. Schema changes are irreversible. Microsoft's own docs caution: "Changes to the domain and forest functional levels are irreversible." If something goes sideways during an in-place AD DS upgrade, your recovery is "restore from a verified backup," and many small businesses don't have one of those. Side-by-side gives you the old DC as a fallback throughout the migration.
3. The in-place path from 2016 to 2025 is technically supported but operationally awkward. Microsoft supports direct 2016 → 2025 upgrades in some configurations, but adds prerequisites (manual adprep /forestprep, current cumulative updates, validated functional levels). Each prerequisite is another place to fail.
When in-place upgrade is acceptable: homelab, single-purpose non-production server, fully backed-up environment where you've tested the restore. For production with real users and data, follow the side-by-side path below.
![]()
What you'll need
- A new Raff Windows Server 2025 VM with enough resources for your destination workload. For a typical 10-100 employee combined DC + file server + SQL + app server, recommend the Heavy Workload plan ($63.99: 8 vCPU / 16 GB RAM / 240 GB NVMe). Lighter workloads fit on the Production plan ($35.99: 4 vCPU / 8 GB / 120 GB).
- Network connectivity between your existing Windows Server 2016 (on-premises, in a colo, or on another cloud like AWS, Azure, or GCP) and the new Raff Windows Server 2025. Typically a site-to-site IPsec VPN between your existing network and the Raff VPC where the new server lives. Raff's free migration offer below includes setting this up for you.
- Admin credentials on both servers (Enterprise Admin and Schema Admin on the source domain).
- A current, tested backup of the source server. Validate the restore works on a separate VM before you start. This is your fallback if anything goes wrong.
- A documented inventory of what's on the old server: roles, installed apps, shares, scheduled tasks, custom services, users and groups, group policies, file shares with permissions, SQL databases, certificates, DNS zones.
- A maintenance window for cutover (typically 4-8 hours, scheduled for a weekend evening).
- Estimated total time: 4-8 weeks elapsed from kickoff to decommission. Active hands-on work is roughly 20-40 hours over that window.
Before you dive into the procedure: if your destination is a Raff Windows Server 2025, you don't have to run this yourself. Raff plans and executes the full side-by-side migration for new customers, free beyond the destination VM's monthly cost, with a scheduled cutover you're in the room for.
Phase 1: Pre-flight checks on the source server
Before touching anything, validate the source server is healthy. Run these on the Server 2016 box.
Check AD DS health
# Run AD DS diagnostics dcdiag /v # Replication health (only matters if you have multiple DCs) repadmin /replsummary repadmin /showrepl
Look for passed on every test in dcdiag. Any failed tests get fixed before migration. The most common failures are DNS misconfigurations and time sync drift; both need to be clean before adding a new DC to the domain.
Check current functional level
# Check domain and forest functional levels Get-ADDomain | Format-List Name, DomainMode Get-ADForest | Format-List Name, ForestMode
You need Windows Server 2016 domain and forest functional level as the minimum to introduce a Server 2025 DC. If the levels show Windows2016Domain and Windows2016Forest, you're good. If they're lower (e.g., Windows2012R2Domain), raise them first using Active Directory Domains and Trusts console (right-click the domain, "Raise Domain Functional Level"). Functional level raises are irreversible.
Check SYSVOL replication is DFSR (not FRS)
# Check SYSVOL replication engine Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating Sysvols" -Name LocalState
If LocalState is 3 (ELIMINATED), you're on DFSR and good to go. If the key doesn't exist or has a different value, you're still on FRS, which is not supported for Server 2025 DCs. Migrate SYSVOL from FRS to DFSR before adding the 2025 DC. (Microsoft has a separate FRS-to-DFSR migration guide; this is rare on 2016 installs but common on environments that upgraded from older versions.)
Identify FSMO role holders
# Find which DC holds each FSMO role netdom query fsmo
Output shows the Schema master, Domain naming master, PDC, RID master, and Infrastructure master. In a single-DC environment, all five roles are on your one server. Note them down; you'll transfer them to the new 2025 DC later.
Inventory shares and permissions
# List all SMB shares with paths and descriptions Get-SmbShare | Format-Table Name, Path, Description -AutoSize # For each share, capture full ACL Get-SmbShare | ForEach-Object { Write-Host "`n=== Share: $($_.Name) ===" -ForegroundColor Cyan Get-SmbShareAccess -Name $_.Name | Format-Table } # Capture NTFS permissions on share root paths Get-SmbShare | Where-Object Special -eq $false | ForEach-Object { Write-Host "`n=== NTFS ACL: $($_.Path) ===" -ForegroundColor Cyan Get-Acl $_.Path | Format-List }
Save this output. You'll reference it after migration to confirm permissions transferred correctly.
Inventory local users and groups
Get-LocalUser | Format-Table Name, Enabled, LastLogon, Description Get-LocalGroup | Format-Table Name, Description Get-LocalGroup | ForEach-Object { Write-Host "`n=== Group: $($_.Name) ===" Get-LocalGroupMember -Name $_.Name | Format-Table }
(In a domain environment, most users live in AD not local; this matters more for the file server and app server.)
Document app dependencies
For each line-of-business app installed:
- Vendor name and product name with version
- Whether it's certified for Server 2025 (check the vendor's compatibility matrix)
- Where it stores data (SQL database, flat files in
C:\ProgramData\Vendor, etc.) - License keys (often locked to hostname or hardware ID; you may need vendor support during the move)
- Any service accounts it uses
This step takes the longest. Don't skip it. The number-one cause of migration disasters is "we forgot about the QuickBooks server that the accounting team uses once a quarter."
Phase 2: Prepare the new Windows Server 2025
Provision your new Raff Windows Server 2025 VM. Hostname can be whatever your naming convention dictates; we'll use NEW-DC-01 in examples below.


